Adding authentication based on API key and API secret to APIs in Spring Boot application - spring

I am working on a Spring Boot application where existing user authentication is based on OAuth2 with 2FA. Now, I would like to call the APIs in my application from a third-party client as well, say from another service.
Basically, I would like to develop one auth API, where on providing a valid client name, valid API key, and API secret, the client will get an auth token, which will be valid for, say, 1 hour. Then this auth token can be passed in all successive API invocations until the token expires.
I found a few articles here:
a. Securing Spring Boot API with API key and secret
b. How to secure spring Boot API with API key and secret
c. how to implement api key secure in spring boot?
d. How to config multiple level authentication for spring boot RESTful web service?
But I am not getting any concrete idea regarding how to achieve this.
Could you please suggest how I can achieve this? Thanks
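The design the question describes (client name + API key + API secret exchanged for a token that lives for one hour and is then sent as a bearer token), as an added example for Spring Boot 3 / Spring Security 6; it is not the asker's code and not part of the original post. The path prefix /api/partner/**, the sample client "partner-service" with its key and secret, and the ROLE_PARTNER authority are assumptions. The existing OAuth2 + 2FA chain is left as it is: it simply becomes the later chain that handles every request the partner chain does not match.

```java
// Added example, not the asker's code. Paths, the sample client, its key/secret and ROLE_PARTNER are assumptions.
import java.io.IOException;
import java.security.SecureRandom;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

// Registered clients and issued tokens. Secrets are held only as bcrypt hashes; tokens are
// opaque random values kept in memory (use a database or cache across several instances).
final class PartnerTokenStore {
  record ApiClient(String name, String apiKey, String secretHash) {}
  record IssuedToken(String clientName, Instant expiresAt) {}
  static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();
  static final Map<String, ApiClient> CLIENTS_BY_KEY = Map.of(   // constructed sample client
      "ak_partner_001", new ApiClient("partner-service", "ak_partner_001", ENCODER.encode("s3cr3t-value")));
  // Used when the key is unknown so a bad key costs the same time as a bad secret.
  static final String DUMMY_HASH = ENCODER.encode("dummy");
  static final Map<String, IssuedToken> TOKENS = new ConcurrentHashMap<>();
  static final SecureRandom RNG = new SecureRandom();
  static final Duration TTL = Duration.ofHours(1);

  // Returns the client when name, key and secret all match, otherwise null.
  static ApiClient authenticate(String name, String apiKey, String secret) {
    ApiClient c = apiKey == null ? null : CLIENTS_BY_KEY.get(apiKey);
    boolean secretOk = ENCODER.matches(secret == null ? "" : secret, c == null ? DUMMY_HASH : c.secretHash());
    return (secretOk && c != null && c.name().equals(name)) ? c : null;
  }
  static String issue(ApiClient c) {
    byte[] raw = new byte[32];                 // 256 random bits: unguessable, nothing inside to tamper with
    RNG.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    TOKENS.put(token, new IssuedToken(c.name(), Instant.now().plus(TTL)));
    return token;
  }
  // Returns the owning client for a live token, or null if unknown or expired.
  static String resolve(String token) {
    IssuedToken t = TOKENS.get(token);
    if (t == null) return null;
    if (t.expiresAt().isBefore(Instant.now())) { TOKENS.remove(token); return null; }
    return t.clientName();
  }
}

@RestController
class PartnerTokenController {
  record TokenRequest(String clientName, String apiKey, String apiSecret) {}
  record TokenResponse(String accessToken, String tokenType, long expiresIn) {}
  @PostMapping("/api/partner/token")
  ResponseEntity<TokenResponse> token(@RequestBody TokenRequest req) {
    var client = PartnerTokenStore.authenticate(req.clientName(), req.apiKey(), req.apiSecret());
    if (client == null) return ResponseEntity.status(401).build();   // same reply whichever field was wrong
    return ResponseEntity.ok(new TokenResponse(PartnerTokenStore.issue(client), "Bearer", PartnerTokenStore.TTL.toSeconds()));
  }
}

// Turns a valid "Authorization: Bearer <token>" header into an authenticated principal.
class PartnerTokenFilter extends OncePerRequestFilter {
  @Override
  protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
    String header = req.getHeader("Authorization");
    if (header != null && header.startsWith("Bearer ")) {
      String clientName = PartnerTokenStore.resolve(header.substring(7).trim());
      if (clientName != null) {
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
            clientName, null, AuthorityUtils.createAuthorityList("ROLE_PARTNER")));
      }
    }
    chain.doFilter(req, res);
  }
}

@Configuration
class PartnerSecurityConfig {
  // Runs before the existing OAuth2/2FA chain, but only for /api/partner/**.
  @Bean @Order(1)
  SecurityFilterChain partnerChain(HttpSecurity http) throws Exception {
    http.securityMatcher("/api/partner/**")
        .csrf(csrf -> csrf.disable())          // stateless token API, no browser session to protect
        .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .authorizeHttpRequests(a -> a.requestMatchers("/api/partner/token").permitAll().anyRequest().hasRole("PARTNER"))
        .addFilterBefore(new PartnerTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    return http.build();
  }
}
```

A client calls POST /api/partner/token with a JSON body {"clientName":"partner-service","apiKey":"ak_partner_001","apiSecret":"s3cr3t-value"}, receives {"accessToken":"...","tokenType":"Bearer","expiresIn":3600}, and sends Authorization: Bearer <token> on every later call under /api/partner/**. The secret is compared through bcrypt rather than string equality, the dummy hash keeps the response time the same for unknown keys, and the token carries no claims, so there is nothing in it to forge: its only meaning is the server-side map entry, which disappears after one hour.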

Related

Spring boot - Token online verification

I'm developing an app.
Front/bff/api.
I'm using an OpenID provider that allows checking the token remotely.
The BFF intercepts the front-end requests and sends them to the API with the JWT token in the header.
The API should ask the OpenID provider if the token is correct (but remotely, not using the offline mode with the public key).
The API is a Spring Boot 3.0.1 project.
How do I configure security in Spring Boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In Spring Security config, that means using opaqueToken() instead of jwt() (the first configures a resource server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder, as a request is sent to the authorization server for each and every request to a resource server. Tutorial there.
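The opaqueToken() configuration the answer refers to, as an added example that is not part of the answer: a Spring Boot 3 resource server that validates each bearer token by calling the provider's introspection endpoint, wrapped in a small cache that addresses the per-request cost the answer warns about. The introspection URI, the resource server's own client id and secret, and the 60-second cache cap are placeholders and assumptions.

```java
// Added example, not code from the original answer. Endpoint, credentials and cache cap are placeholders.
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

// Wraps the real introspector. Successful results are cached under a SHA-256 of the token (the raw
// token is not kept) until the token's "exp" or a short cap, whichever comes first; the cap bounds
// how long a token revoked at the provider is still accepted here.
class CachingOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
  private record Entry(OAuth2AuthenticatedPrincipal principal, Instant validUntil) {}
  private static final long MAX_CACHE_SECONDS = 60;
  private final OpaqueTokenIntrospector delegate;
  private final Map<String, Entry> cache = new ConcurrentHashMap<>();

  CachingOpaqueTokenIntrospector(OpaqueTokenIntrospector delegate) { this.delegate = delegate; }

  @Override
  public OAuth2AuthenticatedPrincipal introspect(String token) {
    String key = sha256(token);
    Entry e = cache.get(key);
    if (e != null && e.validUntil().isAfter(Instant.now())) return e.principal();
    // Unknown or stale: ask the provider. An inactive token makes the delegate throw
    // BadOpaqueTokenException, which propagates (401) and is never cached.
    OAuth2AuthenticatedPrincipal p = delegate.introspect(token);
    Instant exp = p.getAttribute(OAuth2TokenIntrospectionClaimNames.EXP);
    Instant cap = Instant.now().plusSeconds(MAX_CACHE_SECONDS);
    cache.put(key, new Entry(p, exp != null && exp.isBefore(cap) ? exp : cap));
    return p;
  }

  static String sha256(String s) {
    try {
      return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
    } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
  }
}

@Configuration
class IntrospectionSecurityConfig {
  // Placeholder introspection endpoint and the credentials this API registered at the provider.
  @Bean
  OpaqueTokenIntrospector introspector() {
    return new CachingOpaqueTokenIntrospector(new SpringOpaqueTokenIntrospector(
        "https://idp.example.com/oauth2/introspect", "orders-api", "orders-api-secret"));
  }

  @Bean
  SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
        // opaqueToken() with defaults picks up the OpaqueTokenIntrospector bean above.
        .oauth2ResourceServer(rs -> rs.opaqueToken(Customizer.withDefaults()));
    return http.build();
  }
}
```

Without the custom bean, the same thing is configured purely from properties (spring.security.oauth2.resourceserver.opaquetoken.introspection-uri, client-id and client-secret), at the cost of one introspection call per request. The map in the example is unbounded; a production version should use a size-limited cache so that a flood of distinct bad tokens cannot grow it, and should pick the cap according to how quickly revocations must take effect.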

generate Azure AD JWT token and call the third-party API using that token using Spring Boot

I registered the app in Azure AD, and I have the application ID (client ID), directory ID (tenant ID), and secret key.
Using these, I need to generate the JWT token in Azure AD and validate that token.
Once the token is generated, I need to call the third-party APIs using that token in a Spring Boot application.
Please provide some example.
To achieve the above requirement, you can take reference from this post to call the third-party API using the JWT token in a Spring Boot application.
In the above tutorial, they have built a Spring Boot application that supports token-based authentication with JWT. Please refer to the section "How to configure Spring Security to work with JWT", which might be the solution to your requirement.
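The flow the question asks for (a daemon-style app registration obtaining a token from Azure AD with its client ID, tenant ID and secret, then calling a third-party API with it) is the client-credentials grant. What follows is an added example, not code from the answer or the linked tutorial, using Spring Security's OAuth2 client support in a Spring Boot 3 application. The registration name "azure", the scope, the third-party URL and the principal name are placeholders; the tenant ID, application ID and secret come from the app registration and go into application.properties as shown in the comment.

```java
// Added example, not code from the original answer. Assumed application.properties (placeholders):
//   spring.security.oauth2.client.registration.azure.client-id=<application (client) id>
//   spring.security.oauth2.client.registration.azure.client-secret=${AZURE_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.azure.authorization-grant-type=client_credentials
//   spring.security.oauth2.client.registration.azure.scope=api://<third-party app id>/.default
//   spring.security.oauth2.client.provider.azure.token-uri=https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;

@Configuration
class AzureClientConfig {
  // Manager that performs the client_credentials exchange with Azure AD and keeps the
  // resulting token until it is about to expire, so the token endpoint is not hit per call.
  @Bean
  OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                        OAuth2AuthorizedClientService clients) {
    var provider = OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build();
    var manager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clients);
    manager.setAuthorizedClientProvider(provider);
    return manager;
  }
}

@Service
class ThirdPartyApiClient {
  private final OAuth2AuthorizedClientManager manager;
  private final RestTemplate rest = new RestTemplate();

  ThirdPartyApiClient(OAuth2AuthorizedClientManager manager) { this.manager = manager; }

  // Returns a valid bearer token, re-running the grant only when the cached one has expired.
  String accessToken() {
    OAuth2AuthorizeRequest req = OAuth2AuthorizeRequest
        .withClientRegistrationId("azure")
        .principal("third-party-caller")   // no end user in this grant; any stable name identifies the caller
        .build();
    OAuth2AuthorizedClient client = manager.authorize(req);
    if (client == null) throw new IllegalStateException("Azure AD did not issue a token for registration 'azure'");
    return client.getAccessToken().getTokenValue();
  }

  // Calls the third-party API (placeholder URL) with the token in the Authorization header.
  String getOrders() {
    HttpHeaders headers = new HttpHeaders();
    headers.setBearerAuth(accessToken());
    return rest.exchange("https://partner-api.example.com/orders", HttpMethod.GET,
        new HttpEntity<>(headers), String.class).getBody();
  }
}
```

The token Azure AD returns is a JWT whose audience is the third-party application; that API validates it on its side by checking the signature against the tenant's published keys and the aud claim, not the caller. If the third-party API is itself a Spring resource server, spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/<tenant id>/v2.0 is enough for the signature and issuer check. Keep the client secret out of source (the ${AZURE_CLIENT_SECRET} placeholder above reads it from the environment), and prefer a certificate or managed identity over a secret where the platform allows it.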

Spring/spring boot authorisation using JWT tokens

Looking for suggestions on how to go about with microservices authorisation.
I'm using Spring/Spring Boot for all the microservices.
I'm able to authenticate via Spring Cloud Gateway before reaching the actual microservices using JWT tokens; however, when it comes to authorisation, I'm unsure how to do it.
I would like to handle the authorisation internally for each of the endpoints in the business microservice.
Is there a way to pass the JWT token to the microservice, or do I need to call the auth server to get the roles of the user?
Actually, both work.
You can put the roles in the token and, when you need them, decode it. Or decode it in the gateway and pass it all the way.
If you don't want to put too much data in the token, you can call the auth server as needed.
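The first option from the answer (roles carried in the token, decoded where they are needed), as an added example that is not part of the answer: a business microservice on Spring Boot 3 that receives the Authorization header forwarded unchanged by the gateway, verifies the JWT itself against the issuer's keys, and turns a "roles" claim into Spring authorities used by both path rules and an in-code ownership check. The claim name "roles", the /orders paths, the role names and the issuer URI are assumptions; the sample orders are constructed data standing in for a repository.

```java
// Added example, not code from the original answer. Assumed property so the service validates the
// signature offline against the auth server's JWKS (placeholder issuer):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.example.com/realms/shop
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@Configuration
@EnableMethodSecurity
class OrderServiceSecurityConfig {
  // Maps a "roles" claim such as ["USER","ADMIN"] to ROLE_USER / ROLE_ADMIN authorities
  // (the default converter would instead read the "scope" claim with a SCOPE_ prefix).
  @Bean
  JwtAuthenticationConverter jwtAuthenticationConverter() {
    JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
    roles.setAuthoritiesClaimName("roles");
    roles.setAuthorityPrefix("ROLE_");
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    converter.setJwtGrantedAuthoritiesConverter(roles);
    return converter;
  }

  // Coarse rules by path and method; every request must carry a valid JWT.
  @Bean
  SecurityFilterChain chain(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
    http.authorizeHttpRequests(a -> a
            .requestMatchers(HttpMethod.GET, "/orders/**").hasAnyRole("USER", "ADMIN")
            .requestMatchers(HttpMethod.DELETE, "/orders/**").hasRole("ADMIN")
            .anyRequest().authenticated())
        .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
    return http.build();
  }
}

@RestController
class OrderController {
  record Order(String id, String ownerSubject) {}
  // Constructed sample data; ownerSubject holds the "sub" of the user who placed the order.
  private final Map<String, Order> orders = new ConcurrentHashMap<>(
      Map.of("o-1", new Order("o-1", "alice"), "o-2", new Order("o-2", "bob")));

  // Path rule admits USER and ADMIN; the object-level check compares the token's subject
  // (Authentication.getName() is the "sub" claim for a JWT) with the order's owner.
  @GetMapping("/orders/{id}")
  Order get(@PathVariable String id, Authentication auth) {
    Order o = orders.get(id);
    if (o == null) throw new ResponseStatusException(HttpStatus.NOT_FOUND);
    boolean admin = auth.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"));
    if (!admin && !o.ownerSubject().equals(auth.getName())) throw new AccessDeniedException("not your order");
    return o;
  }

  // Method-level rule, so the endpoint stays protected even if the path rules are edited later.
  @DeleteMapping("/orders/{id}")
  @PreAuthorize("hasRole('ADMIN')")
  void delete(@PathVariable String id) { orders.remove(id); }
}
```

Because the service verifies the signature itself, it does not need to call the auth server per request, and it does not need to trust the gateway: a request that reaches the service by some other route, or a gateway that merely adds an X-Roles header, carries no authority unless the JWT says so. The trade-off the answer mentions still applies: roles baked into the token stay valid until it expires, so keep token lifetimes short or fall back to the auth server for decisions that must reflect an immediate revocation.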

implementation of spring oauth 2

I have to implement an OAuth 2.0 server application. I know how OAuth 2.0 works, but when I googled how to implement it, everywhere I get Spring Boot with OAuth 2.0, and my requirement is that I should give two URLs to the client:
one to get the access_code and a second REST call to get the access_token. Is there a way that I can get this from Spring Boot or Spring Security, with in-memory storage for tokens?
I tried using the Spring Boot OAuth examples, but none of them give separate URLs for access_code and access_token.
I think you mean you are delivering the API part:
* Client authenticates against an OAuth endpoint and gets an access token
* Client calls API with an access token
* API must validate access token
Typically you'll code the API and use an out-of-the-box Authorization Server for the OAuth endpoint.
To answer your question properly it would help to know what type of client (partner back end, UI, etc.).
There will be a bunch of messages between client, API and Authorization Server; this post may give you some ideas:
https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
I may be able to help you with the Spring Boot stuff once I understand your scenario better.
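The two URLs the question asks for are the authorization endpoint (which returns the "access_code", i.e. the authorization code) and the token endpoint (which exchanges it for the access_token); an out-of-the-box server of the kind the answer suggests, Spring Authorization Server, provides both. The following is an added example, not code from the question or the answer, showing the minimal Spring Boot 3 configuration that exposes them at /oauth/authorize and /oauth/token with in-memory client, code and token storage. It assumes Spring Authorization Server 1.x (spring-boot-starter-oauth2-authorization-server); the client id and secret, redirect URI, scope and the test user are placeholders.

```java
// Added example, not code from the original post. Assumes Spring Authorization Server 1.x;
// client, redirect URI, user and endpoint paths are placeholders.
import java.security.*;
import java.security.interfaces.*;
import java.time.Duration;
import java.util.UUID;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.source.*;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.server.authorization.client.*;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.settings.*;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
class AuthServerConfig {
  // Chain for the OAuth2 protocol endpoints. A browser arriving unauthenticated at
  // /oauth/authorize is sent to the login page so the resource owner can sign in and consent.
  @Bean @Order(1)
  SecurityFilterChain authServerChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http.exceptionHandling(e -> e.defaultAuthenticationEntryPointFor(
        new LoginUrlAuthenticationEntryPoint("/login"), new MediaTypeRequestMatcher(MediaType.TEXT_HTML)));
    return http.build();
  }

  // Chain for everything else, including the login page itself.
  @Bean @Order(2)
  SecurityFilterChain loginChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(a -> a.anyRequest().authenticated()).formLogin(Customizer.withDefaults());
    return http.build();
  }

  // The two URLs handed to the client: GET /oauth/authorize issues the code,
  // POST /oauth/token exchanges it for the access token.
  @Bean
  AuthorizationServerSettings settings() {
    return AuthorizationServerSettings.builder()
        .authorizationEndpoint("/oauth/authorize")
        .tokenEndpoint("/oauth/token")
        .build();
  }

  // In-memory client registry. With no OAuth2AuthorizationService bean declared, issued codes
  // and tokens are held in memory too (InMemoryOAuth2AuthorizationService is the default).
  @Bean
  RegisteredClientRepository clients() {
    RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
        .clientId("partner-app")
        .clientSecret("{noop}partner-secret")       // demo only; store a bcrypt hash in practice
        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
        .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
        .redirectUri("https://partner.example.com/callback")
        .scope("orders.read")
        .clientSettings(ClientSettings.builder().requireProofKey(true).build())   // PKCE required
        .tokenSettings(TokenSettings.builder().accessTokenTimeToLive(Duration.ofHours(1)).build())
        .build();
    return new InMemoryRegisteredClientRepository(client);
  }

  // Resource owner who logs in and grants the client access (placeholder credentials).
  @Bean
  UserDetailsService users() {
    return new InMemoryUserDetailsManager(
        User.withUsername("alice").password("{noop}alice-pw").roles("USER").build());
  }

  // RSA key that signs the JWT access tokens. Generated at start-up, so tokens do not survive a
  // restart, which is consistent with keeping everything in memory.
  @Bean
  JWKSource<SecurityContext> jwkSource() throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair kp = gen.generateKeyPair();
    RSAKey key = new RSAKey.Builder((RSAPublicKey) kp.getPublic())
        .privateKey((RSAPrivateKey) kp.getPrivate())
        .keyID(UUID.randomUUID().toString())
        .build();
    return new ImmutableJWKSet<>(new JWKSet(key));
  }
}
```

The client's two calls are then: a browser redirect to GET /oauth/authorize?response_type=code&client_id=partner-app&redirect_uri=https://partner.example.com/callback&scope=orders.read&code_challenge=<S256 challenge>&code_challenge_method=S256, which after login and consent redirects back with ?code=..., and a POST /oauth/token with HTTP Basic partner-app:partner-secret and body grant_type=authorization_code&code=...&redirect_uri=...&code_verifier=..., which returns the JSON with access_token. Requiring PKCE (requireProofKey) means a stolen code is useless without the verifier, and the exact redirect URI match is what stops the code being sent to an attacker's site; both should stay on even when the client is a trusted partner back end.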

Using JWT & Basic auth based on called resource

I have an API running on Spring Boot along with Spring Security.
The app manages state with JWTs. The initial call issues a fresh JWT, and all subsequent calls need to have it to get through Spring Security.
There is a new requirement for a couple of new endpoints (with uniquely identifiable resource paths) that are secured through Basic auth. There would be no need for JWTs in this context.
So my question is, is it even possible to get both JWTs and Basic auth going in a single Boot application? Is it valid to think that I could direct auth requests to different auth filters/providers using an antMatcher on the resource path?
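What the question proposes does work: Spring Security selects one SecurityFilterChain per request by path, so Basic-authenticated endpoints and JWT-authenticated endpoints can live in one application. The following is an added example, not the asker's code, for Spring Boot 3 / Spring Security 6 (where the old antMatcher()/antMatchers() calls have become securityMatcher()/requestMatchers()). It assumes the Basic endpoints sit under /internal/**, that the application issues HS256 JWTs it can verify with a shared key, and a placeholder Basic user and key; the application's own JWT filter could take the place of the resource-server decoder shown here.

```java
// Added example, not the asker's code. Paths, the Basic user and the HMAC key are placeholders.
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class SplitAuthSecurityConfig {
  // Chain 1 handles only /internal/**; a request to any other path never enters it and
  // falls through to chain 2, so the two mechanisms never compete on one URL.
  @Bean @Order(1)
  SecurityFilterChain basicChain(HttpSecurity http) throws Exception {
    http.securityMatcher("/internal/**")
        .authorizeHttpRequests(a -> a.anyRequest().hasRole("OPS"))
        .httpBasic(Customizer.withDefaults())
        .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .csrf(csrf -> csrf.disable());   // non-browser callers with no session; nothing for CSRF to ride
    return http.build();
  }

  // Chain 2 (no securityMatcher, later order) takes everything else and requires a bearer JWT;
  // the endpoint that issues the initial JWT stays open.
  @Bean @Order(2)
  SecurityFilterChain jwtChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
    http.authorizeHttpRequests(a -> a
            .requestMatchers("/auth/token").permitAll()
            .anyRequest().authenticated())
        .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)))
        .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .csrf(csrf -> csrf.disable());
    return http.build();
  }

  // Credentials accepted by the Basic chain, stored as a bcrypt hash rather than plain text.
  @Bean
  UserDetailsService basicUsers(PasswordEncoder encoder) {
    return new InMemoryUserDetailsManager(
        User.withUsername("ops-monitor").password(encoder.encode("change-me")).roles("OPS").build());
  }

  @Bean
  PasswordEncoder passwordEncoder() { return PasswordEncoderFactories.createDelegatingPasswordEncoder(); }

  // Verifies HS256 signatures with the key the application uses when it issues its JWTs.
  // Placeholder key: in practice load at least 32 random bytes from a secret store.
  @Bean
  JwtDecoder jwtDecoder() {
    SecretKey key = new SecretKeySpec("replace-with-32-plus-random-bytes-secret-value".getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    return NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build();
  }
}
```

Ordering is what makes this safe: the more specific chain must have the lower @Order value, and a chain without a securityMatcher must come last, otherwise it claims every request before the Basic chain is consulted. A practical check is to call an /internal/ URL with a valid JWT and no Basic header and confirm it is rejected with 401, and to call a JWT-protected URL with Basic credentials and confirm the same; if either succeeds, the chains are overlapping.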
